Report: Half of Breaches Trace to Hacking, Malware Attacks

Strains of malware commonly seen in 2018 by Beazley when it investigated data breaches

Beazley Breach Response Services, a unit of global insurance company Beazley, reports that nearly half of the more than 3,300 breaches it investigated last year traced to a hack attack or malware infection. And half of those hacking/malware attacks were tied to business email compromise schemes.

Many Office 365 rollouts fail to use multifactor authentication, which means attackers can attempt to gain access to a large number of accounts using credential-stuffing attacks or dictionary lists of weak passwords, he says. In addition, many firms fail to have logging in place so that they can ascertain how a breach began or what was stolen (see: Business Email Compromise: Must-Have Defenses).
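The credential-stuffing and weak-password attacks described above leave a recognisable trace in sign-in logs: one source address failing against many different accounts in a short window, sometimes followed by a single success. The detector below is an added example written for this article, not code from Beazley, 7 Elements or ISMG. The log lines are constructed, and their four-column layout (time, account, source IP, outcome) is a simplified stand-in for a real identity provider's export rather than any vendor's schema.

```python
"""Spot password spraying against cloud mailboxes in sign-in records.

Added example, not code from Beazley, 7 Elements or ISMG. The sign-in lines
below are constructed, and their four-column layout (time, account, source
IP, outcome) is a simplified stand-in for a real identity provider's export,
not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against six accounts in a
# couple of minutes and then gets into a seventh; 198.51.100.9 is a user who
# mistypes her own password twice and then signs in normally.
SIGNIN_LOG = """\
2018-11-02T09:00:01Z alice@example.com 203.0.113.7 FAILURE
2018-11-02T09:00:04Z bob@example.com 203.0.113.7 FAILURE
2018-11-02T09:00:07Z carol@example.com 203.0.113.7 FAILURE
2018-11-02T09:01:15Z alice@example.com 198.51.100.9 FAILURE
2018-11-02T09:01:40Z alice@example.com 198.51.100.9 FAILURE
2018-11-02T09:01:58Z alice@example.com 198.51.100.9 SUCCESS
2018-11-02T09:02:10Z dave@example.com 203.0.113.7 FAILURE
2018-11-02T09:02:13Z erin@example.com 203.0.113.7 FAILURE
2018-11-02T09:02:16Z frank@example.com 203.0.113.7 FAILURE
2018-11-02T09:02:19Z grace@example.com 203.0.113.7 SUCCESS
""".splitlines()


def parse_event(line):
    """Split one constructed log line into a typed event."""
    stamp, account, ip, outcome = line.split()
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account.lower(),
        "ip": ip,
        "outcome": outcome,
    }


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: {"accounts": set, "successes": set}} for source IPs whose
    failed sign-ins touched at least `min_accounts` distinct accounts within
    `window`, plus any account the same IP then signed into successfully.

    A normal user failing repeatedly against one account never trips this,
    because the count is of distinct accounts per source, not of attempts.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    recent_failures = defaultdict(list)  # ip -> [(time, account), ...] in window
    flagged = {}
    for ev in events:
        ip = ev["ip"]
        if ev["outcome"] == "FAILURE":
            recent = [(t, a) for t, a in recent_failures[ip]
                      if ev["time"] - t <= window]
            recent.append((ev["time"], ev["account"]))
            recent_failures[ip] = recent
            accounts = {a for _, a in recent}
            if len(accounts) >= min_accounts:
                hit = flagged.setdefault(ip, {"accounts": set(), "successes": set()})
                hit["accounts"] |= accounts
        elif ev["outcome"] == "SUCCESS" and ip in flagged:
            # A success after a spray from the same source is the event that
            # matters: without MFA in front of the mailbox it is a takeover.
            flagged[ip]["successes"].add(ev["account"])
    return flagged


if __name__ == "__main__":
    for ip, hit in detect_spray(SIGNIN_LOG).items():
        print(f"{ip}: sprayed {len(hit['accounts'])} accounts, "
              f"succeeded against {sorted(hit['successes']) or 'none'}")
```

The thresholds are deliberately simple; in a real tenant the window and account count are tuned per organisation, and the same grouping is worth running on user-agent strings as well as source addresses, since sprayers rotate IPs. The point the article makes still applies: if MFA is not enforced, the single SUCCESS line at the end is a compromised mailbox, and if sign-in logging is not retained, nothing like this can be run after the fact.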

Beazley says one Office 365 breach that it investigated, for example, resulted in attackers accessing more than 100 employees' inboxes. Subsequently, digital forensic investigators couldn't rule out attackers having potentially downloaded everything in each of those mailboxes.

That created a data breach notification nightmare. "In order for counsel and the company to determine if there was an obligation to notify affected clients, 900,000 files were programmatically searched for [personally identifying information]," Beazley says. "The search hits required a document review of tens of thousands of files in order to identify affected individuals and create an address list. Ultimately, 60,000 clients or prospective clients were notified."

The total cost of the breach was nearly $2 million in legal and review fees as well as $100,000 to notify the clients, backed by a call center, and to pay for credit monitoring services for victims.

Pivoting From Inboxes

BEC schemes have evolved into highly targeted attacks that often involve hackers gaining access to a legitimate email account and then using it to distribute a high volume of BEC lures.

Attackers have also become more adept at stealing larger sums. "A few years ago, fraudulent transfers were typically under $15,000, but attackers have gotten far bolder," Beazley says, noting that it has seen fraudulent transfers ranging from a few thousand dollars up to tens of millions of dollars.

Direct Deposits - for Hackers

Attackers often pivot from a hacked email account to other corporate services, including HR and payroll self-service portals, BBR Services warns.

"Attackers search the compromised inboxes to determine what portal the company uses, set up inbox forwarding rules to redirect any email from the portal directly to trash, reset the password for the portal if it wasn't the same as for email, and then change the direct deposit to the attacker's account," BBR Services warns. "Oftentimes users would not realize for one, two or even three pay periods that they were not receiving paychecks."
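The inbox-rule step in that sequence is also the most detectable one, because creating or changing a rule is an administrative action that Exchange records. The scanner below is an added example written for this article, not code from Beazley, Ankura or ISMG. The audit records are constructed; their shape (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) is modeled on Exchange admin entries in the Office 365 Unified Audit Log, but every field name used here is an assumption for the demonstration, and the payroll-portal and mail-drop domains are invented.

```python
"""Flag mailbox rules that hide or divert mail, the way BEC attackers do.

Added example, not code from Beazley, Ankura or ISMG. The records below are
constructed; their shape (Operation, UserId, ClientIP and a Parameters list
of Name/Value pairs) is modeled on Exchange admin entries in the Office 365
Unified Audit Log, but every field name here is an assumption for the demo.
"""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders a victim rarely reads, used to make redirected mail disappear.
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive",
                  "conversation history"}
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
CONDITION_PARAMS = ("FromAddressContainsWords", "SubjectContainsWords",
                    "BodyContainsWords", "SubjectOrBodyContainsWords")
# Themes of the mail attackers suppress: payroll/HR portal notices, password
# resets for those portals, and payment traffic.
SENSITIVE_WORDS = ("payroll", "direct deposit", "paycheck", "portal", "password",
                   "invoice", "wire", "bank")

# Constructed audit records, one JSON document per line.
AUDIT_LOG = [
    json.dumps({
        "CreationTime": "2018-09-12T14:03:11", "Operation": "New-InboxRule",
        "UserId": "victim@example.com", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "FromAddressContainsWords", "Value": "payroll-portal.example"},
            {"Name": "MoveToFolder", "Value": "Deleted Items"},
            {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({
        "CreationTime": "2018-09-12T14:09:40", "Operation": "Set-InboxRule",
        "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Identity", "Value": "Clean up"},
            {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
            {"Name": "ForwardTo", "Value": "drop@mail-relay.example"},
            {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({
        "CreationTime": "2018-09-12T15:30:02", "Operation": "New-InboxRule",
        "UserId": "bob@example.com", "ClientIP": "198.51.100.9",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]}),
    json.dumps({
        "CreationTime": "2018-09-12T15:31:00", "Operation": "UserLoggedIn",
        "UserId": "bob@example.com", "ClientIP": "198.51.100.9"}),
]


def rule_parameters(record):
    """Collapse the Name/Value list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def explain_rule(params, internal_domain):
    """Return the reasons a rule looks like BEC tradecraft (empty if benign)."""
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.split("\\")[-1].strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    for name in FORWARD_PARAMS:
        for addr in params.get(name, "").split(";"):
            addr = addr.strip().lower()
            if addr and not addr.endswith("@" + internal_domain):
                reasons.append(f"{name} diverts mail to external {addr}")
    # Condition words only matter when the rule also hides or diverts mail;
    # a user filing payroll notices into a folder they read is normal.
    if reasons:
        text = " ".join(params.get(k, "") for k in CONDITION_PARAMS).lower()
        hits = [w for w in SENSITIVE_WORDS if w in text]
        if hits:
            reasons.append("targets sensitive mail: " + ", ".join(hits))
    return reasons


def scan_audit_log(lines, internal_domain):
    """Return one finding per suspicious rule operation in the audit records."""
    findings = []
    for line in lines:
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue  # sign-ins and other events are not rule changes
        params = rule_parameters(record)
        reasons = explain_rule(params, internal_domain)
        if reasons:
            findings.append({
                "time": record["CreationTime"], "user": record["UserId"],
                "ip": record.get("ClientIP"), "operation": record["Operation"],
                "rule": params.get("Name") or params.get("Identity"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(AUDIT_LOG, "example.com"):
        print(f"{f['time']} {f['user']} from {f['ip']}: {f['operation']} "
              f"'{f['rule']}' -> {'; '.join(f['reasons'])}")
```

The same checks can be run against the live state of every mailbox rather than the audit trail, since the rule properties being tested (delete, move-to-folder, forward or redirect, and the condition words) are what Exchange exposes for each rule. Either way, the article's logging point applies: if the audit records were never kept, there is nothing to scan, which is exactly the position the hundred-mailbox breach described above left its investigators in.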

Common search terms used by attackers against a compromised account (Source: Ankura, via Beazley)

Breaches Fuel Fraud

Regardless of how a company gets hacked, the resulting data breach can help fuel many different types of fraud.

For example, remote purchase - including card-not-present - fraud in the U.K. led to 2018 losses of £506 million ($670 million), says banking industry trade association UK Finance, which represents more than 250 British financial services firms.

"Intelligence suggests that this type of fraud results mainly from the criminal use of card details that have been obtained through data compromise, including third-party data breaches, phishing emails and scam text messages," UK Finance says.

To help, the industry has put into place a new Banking Protocol, which UK Finance says offers a "rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place."

Every British police force has access to the system, which in 2018 helped prevent £38 million ($50 million) in fraud and facilitated the arrest of 231 suspects.

Beazley, meanwhile, says banks are also becoming more adept at stopping fraud.

"One promising development over the past year has been the banks' ability to freeze the transaction and return the funds if they are contacted quickly enough - within 24 to 48 hours - by the targeted organization," it says.

Ransomware Pummels Healthcare Sector

Not all attacks, of course, involve just business email compromise or breaches that lead to fraud. Stubley at 7 Elements says that especially when advanced attackers are at work, they may conclude their intrusion into an organization's network by crypto-locking files and demanding a ransom.

Source: Beazley

Of the breaches Beazley investigated in 2018, 9 percent involved ransomware, and of those attacks, 71 percent hit small and midsize organizations, Beazley warns. From a sector standpoint, meanwhile, one-third of all ransomware attacks it tracked hit the healthcare sector, followed by professional services and financial services (both accounting for 12 percent of all outbreaks), retail (8 percent), education (7 percent) and manufacturing and government (both 6 percent).

Ransomware remains easy for attackers to monetize. "Beazley found that the average ransomware demand in 2018 was more than $116,000, but this was skewed by some very large demands," BBR Services says. "The median was $10,310. The highest demand received by a Beazley client was for $8.5 million - the equivalent of 3,000 bitcoins at the time."

Security experts and law enforcement agencies, however, recommend that whenever possible, organizations put sufficient defenses in place - including maintaining up-to-date and disconnected backups - that will allow them to wipe and restore affected systems, rather than having to consider paying a ransom (see: The Art of the Steal: Why Criminals Love Cyber Extortion).

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
